II. Discussion and Analysis of the OMB Do Not Pay Guidance

The best starting point for understanding the OMB Do Not Pay memo is with the legal framework behind the Do Not Pay Initiative. The Initiative derives from a combination of little-noticed executive orders and updates to existing laws.

In 2009, Executive Order 13520, Reducing Improper Payments, [29] directed agencies to identify “ways in which information sharing may improve eligibility verification and pre-payment scrutiny.” This was the start of the current Do Not Pay Initiative.

In 2012, Congress followed the 2009 Executive Order up with additional legislation, The Improper Payments Elimination and Recovery Improvement Act of 2012, [30] or IPERIA. IPERIA amends an earlier law, the Improper Payments Information Act of 2002. [31] The important thing about IPERIA is that it gave OMB additional authority to allow the use of new databases for the Do Not Pay Initiative. IPERIA also authorized OMB, acting to implement the law, to issue guidance on the application of the law. On August 16, 2013, OMB issued the memo – the main subject of this report – to agencies with instructions on how to implement the Do Not Pay Initiative. The OMB memo has the interesting title Protecting Privacy while Reducing Improper Payments with the Do Not Pay Initiative. [32]

The OMB Do Not Pay memo provides for expanded use of commercial data brokers by federal agencies and, most importantly for present purposes, it establishes new privacy standards for the databases used in the Do Not Pay Initiative. Its extension of privacy standards to commercial databases purchased by the federal government is groundbreaking.

As discussed, the Do Not Pay List, which will be a single point of entry for agencies to access data to determine eligibility for a federal award or payment, went live in April 2012.

Analysis of The Do Not Pay Memorandum

The new OMB Do Not Pay memorandum is long and complex. In essence, the memo seeks to use the federal government’s marketplace power to set privacy standards for private sector information services that affect individual rights, at least for services that the federal government purchases.
Among other things, it includes detailed instructions telling agencies how to comply with the computer matching provisions in the Privacy Act of 1974.

OMB’s instructions about how to carry out Do Not Pay activities while complying with computer matching requirements include requirements for due process that ensure verification, notice, and opportunity to contest adverse information. Those details, while extremely important otherwise, are not of immediate interest here. Our focus in this analysis is on the privacy requirements OMB set for commercial databases. However, we observe that due process procedures are essential whenever the government considers any action that affects the rights, benefits, or privileges of individuals. We are pleased to see appropriate due process procedures included in the Do Not Pay Initiative as required by law.

DNP Databases and Requirements for Databases

The Do Not Pay Initiative directs agencies to have prepayment and pre-award procedures and to ensure that a thorough review of available databases with relevant information on eligibility occurs. The goal is to determine program or award eligibility and to prevent improper payments before the release of any Federal funds.

Under the 2012 legislation, agencies are generally required to review five existing federal databases prior to payment.

These 2012 databases are:

• Death Master File of the Social Security Administration.

• General Services Administration’s Excluded Parties List System.

• Debt Check Database of the Department of the Treasury.

• Credit Alert System or Credit Alert Interactive Voice Response System of HUD.

• List of Excluded Individuals/Entities of the Office of Inspector General of HHS. [33]

The Do Not Pay Initiative also provides for the use of other databases “designated by the Director of the Office of Management and Budget in consultation with agencies and in accordance with paragraph (2).” [34] This is an important distinction.

The current 2013 list, as found on the Treasury Do Not Pay portal as of October 27, 2013, includes all of the 2012 databases and adds the OFAC database and, importantly, The Work Number.

Unlike the other databases mentioned on the site, this is not a database that originates with the federal government; therefore, it will be the first database subject to the new OMB guidance for commercial databases.

Paragraph (2) of the OMB memo requires the Director of OMB to consider any database that substantially assists in preventing improper payments and to provide public notice and an opportunity for comments before designating another database for use in the Do Not Pay Initiative. [35] This has not yet been done for The Work Number because it is still a pilot program.

OMB’s New Standards and Procedures for Evaluating New Databases

OMB established standards and procedures for evaluating new commercial databases for the Do Not Pay Initiative.

Before designating additional databases, OMB will publish a 30-day notice of the designation proposal in the Federal Register asking for public comment. At the conclusion of the 30-day comment period, if OMB decides to finalize the designation, OMB will publish a notice in the Federal Register to officially designate the database for inclusion in the Do Not Pay Initiative. When considering additional databases for designation, OMB will consider:

1. Statutory or other limitations on the use and sharing of specific data;

2. Privacy restrictions and risks associated with specific data;

3. Likelihood that the data will strengthen program integrity across programs and agencies;

4. Benefits of streamlining access to the data through the central Do Not Pay Initiative;

5. Costs associated with expanding or centralizing access, including modifications needed to system interfaces or other capabilities in order to make data accessible; and

6. Other policy and stakeholder considerations, as appropriate. [36]

Asking for public comments before using a new database for a governmental purpose is a positive step, both welcome and appropriate, but it is not entirely new. The Privacy Act of 1974 requires federal agencies to publish a notice in the Federal Register when they establish or change a system of records. [37] Agencies generally accept and consider public comments, and they must do so when proposing or changing a routine use that allows disclosure of personal information. [38] For some privacy-affecting activities, agencies must sometimes prepare and publish privacy impact assessments (PIA). [39] Some agencies accept public comments on PIAs.

OMB’s establishment of express standards for making decisions about using new databases appears to be completely new, and it is the first truly groundbreaking aspect of database evaluation in the Do Not Pay Initiative. Neither the Privacy Act of 1974 nor the PIA process requires anything comparable. In addition, OMB itself must officially designate any new databases for Do Not Pay purposes, a step that should prevent poorly-considered undertakings that might occur in the absence of adequate supervision and oversight. [40]

The first of the OMB standards recognizes that existing law may make a database unavailable for Do Not Pay. The third, fourth, and fifth standards cover the value, benefits, and costs associated with using a database. These standards are familiar ground for OMB, and the standards are welcome but are mostly unremarkable.

The second and sixth standards are more creative. The second standard requires consideration of privacy restrictions and risks. This suggests not only that privacy concerns are relevant to evaluation of a database but also that privacy concerns could possibly overcome other factors. The sixth standard calls for other policy and stakeholder considerations. While this standard may not be quite as important for privacy as the second standard, its open-ended invitation for evaluating other policy and stakeholder considerations suggests that other factors and other voices deserve the chance to affect decisions about databases. These are good steps toward a fair evaluation of new personal information resources in federal programs.

The standards and procedures described so far apply to any new databases proposed for use in Do Not Pay. This includes any federally operated databases. OMB’s setting of standards for internal government activities is not unusual. Indeed, the five designated databases already approved for Do Not Pay are all federally operated.

Elsewhere in the memo, OMB expressly addresses the possibility of using commercial databases in the Do Not Pay Initiative, something that the 2012 law allows (but does not require). [41] It is here, in OMB’s requirements for the use of commercial databases, that the innovations are truly groundbreaking. [42] OMB recognizes the privacy consequences of commercial databases that contain inaccurate or out-of-date information. [43] OMB requires public notice and comment before use of any proposed commercial database. OMB establishes standards that commercial databases must meet. [44] OMB must approve before the Treasury Department can use a commercial database. This is how OMB explains the new standards:

Because commercial databases used or accessed for purposes of the Do Not Pay Initiative will be used to help agencies make determinations about individuals, it is important that agencies apply safeguards that are similarly rigorous to those that apply to systems of records under the Privacy Act. Thus, commercial data may only be used or accessed for the Do Not Pay Initiative when the commercial data in question would meet the following general standards:

1. Information in commercial databases must be relevant and necessary to meet the objectives described in section 5 of IPERIA.

2. Information in commercial databases must be sufficiently accurate, up-to-date, relevant, and complete to ensure fairness to the individual record subjects.

3. Information in commercial databases must not contain information that describes how any individual exercises rights guaranteed by the First Amendment, unless use of the data is expressly authorized by statute. [45]

It is commendable that OMB establishes standards that commercial databases must meet in order to be used by federal agencies in the Do Not Pay Initiative. It is useful if not so extraordinary that the databases must be relevant and necessary to the goals of the Initiative. [46] Other OMB standards are more interesting and more privacy-protective.

A database used for the Do Not Pay Initiative must be sufficiently accurate, up-to-date, relevant, and complete to ensure fairness to data subjects. [47] These standards for federal use of a commercial database appear to break new ground in several ways. First, the OMB standards are better than those required under the Fair Credit Reporting Act, a law that regulates credit bureaus. The FCRA only requires “reasonable procedures to assure maximum possible accuracy.” [48] The Do Not Pay requirements address accuracy (albeit only sufficient accuracy) and then add currency, relevance, and completeness, all with an express goal of ensuring fairness to data subjects.

First Amendment limitation

Second, the OMB standards require that a commercial database provided to a federal agency must not contain information that describes how any individual exercises First Amendment rights (except if expressly authorized by statute). Heretofore, that First Amendment limitation only applied to federal agency records. [49]

Written assessment to document suitability and public notice

Third, OMB requires that the Treasury Department prepare and submit to OMB a written assessment to document the suitability of the commercial database for use in Treasury’s Working System. The assessment must explain the need to use or access the data, explain how the data will be used or accessed, provide a description of the data (including each data element that will be used or accessed), and explain how the database meets all applicable requirements in this Memorandum.

Just as important, OMB will provide the written assessment to the public as part of the public comment period. This will oblige any commercial database to demonstrate how it meets the standards and will allow the public a better opportunity to review and comment on the information. [50]

Any commercial database that wants to provide information for federal agencies to use in the Do Not Pay Initiative must meet new and meaningful privacy standards. The agency responsible for central Do Not Pay activities, the Treasury Department, will be unable to incorporate the contents of a commercial database that fails to meet the standards, and there will be an opportunity for public comment and for federal review of the degree to which a commercial database qualifies. In this area, the federal government will not be able to purchase and use a commercial database without regard to the quality and content of the database.

The OMB standards are innovative, creative, and welcome. What the OMB Do Not Pay Memorandum shows is that the federal government may have considerable marketplace power to influence privacy standards for commercial databases. If federal dollars are only used to purchase commercial databases that meet reasonable privacy standards, commercial databases will have a powerful incentive to clean up their acts. The federal government can, if it chooses, use its market power to improve the quality and fairness of privately-owned databases, and it can do so without the need for legislation. Nothing in IPERIA expressly requires OMB to set privacy standards for commercial databases. OMB chose to do so on its own, and for this, OMB deserves much praise. [51]

Limitations

However, the OMB standards do not affect commercial databases made available to customers other than federal agencies. For example, if a database contains prohibited information about First Amendment rights, the database owner can strip out the prohibited information, create a subset of the database for federal consumption, and continue to maintain and sell that information otherwise. Commercial databases can continue to be sold to other customers without meeting any standards for accuracy, currency, relevance, or completeness. However, if database vendors improve the accuracy or currency of data to meet the federal standards, that may result in better quality data for other users as well, and that would benefit data subjects and data users alike. In effect, any rising tide of accuracy or currency will lift all boats.

Pilot program

Somewhat less welcome is another provision that allows for the use of commercial databases as part of a pilot program that need not satisfy the privacy or other standards set out by OMB. Pilot programs are limited to six months, and they cannot be used to take any adverse action against an individual. [52] The prohibition against adverse actions balances the loosening of standards allowed for pilot programs. Any commercial database actually used for the Do Not Pay Initiative will have to meet the required privacy standards. How the Treasury will evaluate its use of The Work Number in the Do Not Pay Portal will be a major test of the effectiveness of the OMB guidance.

Congress could always pass laws setting privacy standards for commercial databases with information about individuals, but there is no evidence that Congress will act any time soon. Overall, the privacy standards for commercial databases that OMB establishes in its Do Not Pay Memorandum are a wonderful precedent. The standards should be considered a first step.

Application of the OMB Standards to the Do Not Pay Portal

The Do Not Pay Portal uses The Work Number in a pilot program. Under the OMB Guidelines, before The Work Number can be fully incorporated into the Do Not Pay Initiative, there must be an opportunity for public notice and comment. How the evaluation is done will say much about whether the process will be meaningful and how the new standards will be applied in practice.

Under the OMB guidance, it appears that the Treasury has a six-month window to use The Work Number without notice, if the database is being used as part of a pilot program. The OMB Guidance took effect as of August 2013, suggesting that, as of the date of the initial release of this report, Treasury has approximately three months before providing public notice and comment. [53]

If the OMB Guidance is followed, the following things will happen before The Work Number can become a permanent part of the Do Not Pay Initiative:

• The Treasury Department must prepare and submit to OMB a written assessment to document the suitability of the commercial database for use in Treasury’s Working System. The assessment must explain the need to use or access the data, explain how the data will be used or accessed, provide a description of the data (including each data element that will be used or accessed), and explain how the database meets all applicable requirements.

• OMB will make the Treasury Department’s assessment available to the public.

• OMB will provide formal public notice about the proposed use of The Work Number.

• The public will have an opportunity to comment on the proposed use of The Work Number.

• OMB will take the comments of the public into account in its decision regarding the use of the database.

[39] E-Government Act of 2002, Pub. L. No. 107-347, 44 U.S.C. § 3501 note (“if practicable, after completion of the review under clause (ii), make the privacy impact assessment publicly available through the website of the agency, publication in the Federal Register, or other means.” § 208(b)(1)(B)(iii)). OMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, http://www.whitehouse.gov/omb/memoranda_m03-22 (2003).

[42] There is a vague precedent in the PIA requirements. One of the reasons for conducting a PIA is “when agencies systematically incorporate into existing information systems databases of information in identifiable form purchased or obtained from commercial or public sources. (Merely querying such a source on an ad hoc basis using existing technology does not trigger the PIA requirement)”. OMB Memorandum M-03-22, Attachment A at § II.B(2)(f). The DNP Initiative’s requirements go much further.

[43] OMB Memorandum M-13-20 at § 11(a).

[44] Id. at § 11(b).

[45] Id. at § 11(b).

[46] The Privacy Act of 1974, a law applicable only to federal agencies, has similar but slightly stronger language. Each agency must “maintain in its records only such information about an individual as is relevant and necessary to accomplish a purpose of the agency required to be accomplished by statute or by executive order of the President.” 5 U.S.C. § 552a(e)(1).

[47] The Privacy Act of 1974 has slightly stronger language. Each agency must “maintain all records which are used by the agency in making any determination about any individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to assure fairness to the individual in the determination.” 5 U.S.C. § 552a(e)(5).

[48] 15 U.S.C. §1681e(b). Presumably, if agencies use credit reports for the DNP Initiative, there must be a determination that the reports meet the higher standards in the OMB Memorandum.

[49] This language also echoes a requirement in the Privacy Act of 1974 that prohibits the maintenance of a record describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the data subject or unless within the scope of an authorized law enforcement activity. 5 U.S.C. § 552a(e)(7).

[50] OMB Memorandum M-13-20 at § 11(d) & 5(b).

[51] Several additional requirements pertaining to the use of commercial databases by federal agencies are also welcome although familiar. The Treasury Department is obliged to establish rules of conduct for persons involved in the use of or access to commercial databases. Training and penalties for noncompliance are also required, as appropriate. OMB Memorandum M-13-20 at § 11(c)(1). Treasury must also establish appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of information in commercial databases when Treasury controls the information. OMB Memorandum M-13-20 at § 11(c)(2). These requirements are similar to existing provisions in the Privacy Act of 1974 that require “appropriate administrative, technical, and physical safeguards.” 5 U.S.C. § 552a(e)(10). Additionally, in the memorandum, OMB reminds agencies that information in commercial databases used in the DNP Initiative may constitute a system of records or become part of a system of records and would therefore be subject to all Privacy Act requirements. It is important that any information used in making a decision become part of a system of records so that individuals have an opportunity to see and challenge the information. OMB Memorandum M-13-20 at § 11(f). These provisions are not novel, but the repetition is welcome nevertheless.
